Black Code: Inside the Battle for Cyberspace
At the very moment that Russia, China, and their allies are pushing for greater international controls over cyberspace, their primary adversary, the U.S. and its ally Israel not only engage in but appear to tacitly acknowledge their responsibility for the world’s first act of cyber sabotage against a critical infrastructure facility. As former NSA Director Michael Hayden remarked, “Somebody crossed the Rubicon.” The age of cyber warfare is finally upon us.
11. Stuxnet and the Argument for Clean War
News of Stuxnet first emerged in June 2010 when it was identified by a small Belarus security company, VirusBlokAda. Later, the German researcher Ralph Langner undertook a detailed “decoding” of the virus and helped determine that its target was the specific type of Siemens-produced equipment used at the Iranian Natanz nuclear facility. Speculation quickly grew that the Israelis and/or Americans were behind Stuxnet. Who else could disrupt Iranian nuclear enrichment plants with such stealth and precision? Either the Americans or Israelis, or both acting together, most assumed, and there was growing circumstantial evidence.
The Israelis are generally coy about their military prowess and secretive about their hardware (e.g., their nuclear weapons arsenal). Was it just a slip of the tongue at the retirement party for Lieutenant General Gabi Ashkenazi, the former head of the Israel Defense Forces, when celebrants appeared to claim Stuxnet as one of his major successes? (There was even a hilarious Israeli commercial done for a cable TV company showing what appears to be three bumbling Mossad agents undercover as hijab-wearing women in Iran blowing up a centrifuge after accidentally pressing a button on a Samsung tablet.) American officials also spilled some beans. In December 2010, Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, Security and Arms Control, told the Foundation for Defense of Democracies in Washington: “We’re glad they are having trouble with their centrifuge machine and that we, the U.S. and its allies, are doing everything we can to make sure that we complicate matters for them.”
The leaks and speculations on authorship obscure a more important point: the formidable weapon itself and the precedent it sets. A June 2012 New York Times article by David E. Sanger describes the planning and operational process behind the Stuxnet virus – how it began under President Bush as “Operation Olympic Games” (OOG), and was passed on to the Obama administration. Upon leaving office, Bush pressed Obama to continue the program, and Sanger describes Obama as being enthusiastic about it, even pushing forward with OOG despite errors in the coding that led to the virus spilling out beyond the Iranian targets to computers in other countries, and from there to the Belarus security firm.
The attack was planned and tested on a dummy Iranian nuclear enrichment plant, a fake target built from scratch in the United States. The New York Times reported that in early 2008 Siemens co-operated with the Idaho National Laboratory (part of the U.S. Department of Energy) to identify the vulnerabilities of Siemens computer controls used to operate industrial machinery around the world. From intelligence gathered by the Americans, it was known that Siemens equipment was being used in Iran’s enrichment facilities. Around the same time, the Department of Homeland Security teamed up with the same Idaho lab to study a widely used Siemens control system known as PCS-7. The vulnerability of PCS-7 to cyber attack had been an open secret since Siemens and the Idaho National Lab outlined at a conference in July 2008 the kinds of manoeuvres that could exploit holes in its systems to meet a number of goals, including gaining remote control. Meanwhile, the Israelis started to experiment on an industrial sabotage protocol based on a mockup they had designed of Iran’s enrichment program.
The code behind Stuxnet was far larger than a typical worm, considerably more detailed, and it contained some brilliantly crafted and highly suggestive elements, including clues as to Israel’s direct involvement. Symantec researcher Liam Ó Murchú noted that his company had uncovered a reference to an obscure date in the worm’s code: May 9, 1979, the day, shortly after the Iranian Revolution, when a prominent member of the Iranian Jewish community, Habib Elghanian, became the first Jew executed by the new Islamic government. Berlin-based security expert Felix Lindner then found that all manually written functions in Stuxnet’s payload bore the time stamp “September 24, 2007,” the day President Mahmoud Ahmadinejad first publicly questioned whether the Holocaust took place, during a speech at New York’s Columbia University. Lindner found a file inside the code named Myrtus, and speculated this could be a reference to the Book of Esther, an Old Testament story where the Jews pre-empt a Persian plot to destroy them. It is hard to believe the Israelis would unwittingly leave such tell-tale signs of their involvement in Stuxnet; much more likely they show a deliberate intention to drop coy admissions of prowess.
A remarkable component of Stuxnet was its ability to cross “air-gapped” computing systems that are not actually connected to the Internet. In April 2012, the website Isssource.com, belonging to Industrial Safety and Security Source, published an article alleging that “former and serving U.S. intelligence officials” had said that an Iranian double agent working for Israel had inserted Stuxnet into the Iranian control systems using a corrupt memory stick. The article’s author, former United Press International journalist Richard Sale, stated that the double agent was probably a member of the Iranian dissident group, the Mujahedeen-e Khalq (MEK), a shadowy organization with Israeli government connections that is believed to be behind the assassinations of key Iranian nuclear scientists.
Stuxnet was specifically designed to infect only certain types of supervisory control and data acquisition (SCADA) systems used for real-time data collection, and to control and monitor critical infrastructure – hydro-electrical facilities, power plants, nuclear enrichment systems, and so on. The programs used to control the physical components of SCADA systems are called programmable logic controllers (PLCs), and Stuxnet was developed in such a way as to target only two types of PLC models controlled by the Siemens Step 7 software – S7-315 and S7-417 – both of which are used in the Iranian nuclear centrifuges.
Stuxnet was designed to disable the centrifuges by inducing rapid fluctuations in the rotation speed of their motors. Unchecked, this would eventually cause them to blow apart, and one of the most remarkable aspects of the virus was a piece of deception created to confuse Iranian personnel monitoring the plants. Stuxnet secretly recorded what normal operations at the plant looked like, and then played these readings back to the plant operators (like a pre-recorded security tape) so that everything seemed to be in good order. While the operators were watching a normal set of operating results on their monitors, the centrifuges were actually spinning out of control. According to the New York Times, over and over again the Iranians sent teams of scientists down to the centrifuges with two-way radios, reporting back to the operators what they witnessed. They were utterly bewildered by the discrepancy between what they were seeing first-hand in the physical plant and what the monitors were reporting to the operators. Stuxnet was designed, as one insider put it, to make the Iranians “feel stupid.”
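The replay deception described above, seen from the monitoring side, as an added illustration that is not Stuxnet's code or any real plant's data: real sensor streams carry noise, so a window of operator-screen readings that repeats an earlier window exactly is a replay indicator, and an independent field reading (what the Iranian teams with two-way radios were effectively collecting) can be cross-checked against the screen. All readings below are constructed.

```python
# Constructed telemetry, in RPM. The HMI (operator screen) stream repeats one
# recorded window of "normal" readings; the field stream is what a person at
# the machine would actually measure once the motors start to run away.
HMI_READINGS = [1001, 1003, 999, 1002, 1000, 1001, 1003, 999, 1002, 1000,
                1001, 1003, 999, 1002, 1000]
FIELD_READINGS = [1001, 1003, 999, 1002, 1000, 1410, 1420, 1390, 1400, 1405,
                  1415, 1390, 1405, 1410, 1400]


def find_replayed_windows(readings, window=5):
    """Return (start, earlier_start) pairs where a window of readings is an
    exact, non-overlapping repeat of an earlier window. Exact repetition of
    a whole window in a noisy physical signal is what a replay produces."""
    first_seen = {}   # window contents -> index where first observed
    hits = []
    for i in range(len(readings) - window + 1):
        key = tuple(readings[i:i + window])
        earlier = first_seen.setdefault(key, i)
        if earlier != i and i >= earlier + window:
            hits.append((i, earlier))
    return hits


def cross_check(hmi, field, tolerance=50):
    """Return the indices where the operator screen and the independent field
    measurement disagree by more than `tolerance` RPM."""
    return [i for i, (h, f) in enumerate(zip(hmi, field))
            if abs(h - f) > tolerance]


def assess(hmi, field):
    """Combine both checks into one verdict for an operator alarm."""
    replay = find_replayed_windows(hmi)
    mismatch = cross_check(hmi, field)
    return {"replay_suspected": bool(replay),
            "field_mismatch": bool(mismatch),
            "first_mismatch_index": mismatch[0] if mismatch else None}


if __name__ == "__main__":
    print(assess(HMI_READINGS, FIELD_READINGS))
```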
• • •
While remarkably complex in some ways, Stuxnet is hardly extraordinary in others. Some analysts have described it as a Frankenstein of existing cyber criminal tradecraft – bits and pieces of existing knowledge patched together to create a chimera. The analogy is apt and, just like the literary Frankenstein, the monster may come back to haunt its creators. The virus leaked out and infected computers in India, Indonesia, and even the U.S., a leak that occurred through an error in the code of a new variant of Stuxnet sent into the Natanz nuclear enrichment facility. This error allowed the Stuxnet worm to spread into an engineer’s computer when it was hooked up to the centrifuges, and when he left the facility and connected his computer to the Internet the worm did not realize that its environment had changed. Stuxnet began spreading and replicating itself around the world. The Americans blamed the Israelis, who admitted nothing, but whoever was at fault, the toothpaste was out of the tube.
The real significance of Stuxnet lies not in its complexity, or in the political intrigue involved (including the calculated leaks), but in the threshold that it crossed: major governments taking at least implicit credit for a cyber weapon that sabotaged a critical infrastructure facility through computer coding. No longer was it possible to counter the Kasperskys and Clarkeses of the world with the retort that their fears were simply “theoretical.” Stuxnet had demonstrated just what type of damage can be done with black code.
• • •
For some, Stuxnet represents a dangerous and highly unpredictable new form of conflict; for others, it taps into something far more attractive, the prospect of “clean” or “civilized” warfare: precise, surgical, virtual, and, most importantly, bloodless. “You’re seeing an evolution of warfare that’s really intriguing,” argues Phil Lieberman, a security consultant and chief executive of Lieberman Software in Los Angeles, “… warfare where no one [dies].” The minister in charge of Britain’s armed forces, Nick Harvey, echoes a similar sentiment: “[If] a government has arrived at the conclusion that it needs, out of its sense of national interest or national security, to deliver an effect against an adversary … arguably this [Stuxnet] is quite a civilized option.”
The appeal of this argument is intuitive. If we can undertake acts of sabotage without killing or physically harming people, this does seem to represent progress, a new, gentler form of warfare. In this respect, the argument is the exact inverse of the neutron bomb debates of the 1970s and 1980s. The neutron bomb was an enhanced radiation weapon under development during the Carter and Reagan administrations that would kill people while leaving buildings and infrastructure intact, through a highly concentrated dispersal of radioactive material. (Soviet General Secretary Leonid Brezhnev memorably described it as a “capitalist bomb” because it would destroy people, but not property.) Stuxnet-type weapons, on the other hand, are more like something inspired by Unabomber Ted Kaczynski: they would target industrial-technological systems, but leave people alone.
The attraction of technology that allows one to believe in sanitary or “virtual war” has a long pedigree. Political scientist James Der Derian has spent considerable time turning over the argument, and believes that the appeal of high-tech means of fighting clean wars comes from it being “the closest we moderns have [come] to a deus ex machina swooping in from the skies to fix the dilemmas of world politics, virtually solving intractable political problems through technological means.” But the “solutions” offered by virtual war mask the violence that invariably accompanies the use of high-impact technological weapons, and ignore the new problems and unforeseen consequences that arise. When high-tech weapons are marketed, available, and perceived as “clean,” there are strong pressures to adopt military over diplomatic solutions in times of crisis. “When war becomes the first, rather than the last, means to achieve security in the new global disorder,” says Der Derian, “what one technologically can do begins to dominate what one legally, ethically, and pragmatically should do.” Meanwhile, the actual killing involved in warfare recedes into the background the more the application of force resembles a machinelike simulation or a computer game. “Virtuous war is anything but less destructive, deadly or bloody for those on the receiving end of the big technological stick.”
Stuxnet-style attacks may seem like a higher order of sanitized conflict, but the Iranians undoubtedly do not feel that way. The question is, how will they react to Stuxnet? They may continue to develop and refine their own cyber warriors who will attack back with their own black code. In response to Stuxnet, Brigadier General Gholamreza Jalali, the head of Iran’s Passive Defense Organization, said that the Iranian military was prepared “to fight our enemies [in] cyberspace and Internet warfare.” Writing in the Bulletin of the Atomic Scientists, R. Scott Kemp argues, “Each new cyberattack becomes a template for other nations – or sub-national actors – looking for ideas. Stuxnet revealed numerous clever solutions that are now part of a standard playbook. A Stuxnet-like attack can now be replicated by merely competent programmers, instead of requiring innovative hacker elites. It is as if with every bomb dropped, the blueprints for how to make it immediately follow. In time, the strategic advantage will slowly fade and once-esoteric cyberweapons will slowly become weapons of the weak.” And the Iranians’ response may not come via cyberspace at all, but rather in a way that is as spectacular and grotesque as Stuxnet was stealthy and clean. We can now only wait and see.
Apart from unintended blowback, another dynamic bears closer scrutiny: the politically calculated revelations about Stuxnet being a U.S. and Israeli operation will most certainly fan arguments for the legitimacy – indeed, the urgency – of governments developing their own cyber warfare capabilities, or risk being left behind. Stuxnet did not start the cyber arms race, but it marks a major milestone and raises the bar considerably. And this is only the beginning. In October 2012, President Obama signed Presidential Policy Directive 20, authorizing the U.S. military to engage in cyber operations abroad to thwart cyber attacks on U.S. government and private networks. The directive establishes the “rules of engagement” to guide the operations. An unnamed senior administration official told the Washington Post: “What it does, really for the first time, is explicitly talk about how we will use cyber operations … Network defense is what you’re doing inside your own networks … Cyber operations is stuff outside that space.”
The world’s most powerful state is now generally perceived as having been responsible for using computer code to successfully sabotage another country’s critical infrastructure, and for ramping up offensive operations across the board. Not surprisingly, other countries are following suit. A 2011 study undertaken by James A. Lewis and Katrina Timlin of the Center for Strategic and International Studies – notably, done prior to the 2012 Stuxnet revelations – found that thirty-three states included cyber warfare in their military planning and organization, with twelve already having plans to establish cyber commands in their armed forces. Some, like India, boast about developing offensive cyber attack capabilities, while others are no doubt just being more discreet.
• • •
A few weeks after the Stuxnet revelations hit the news, there was a brief event that passed quickly through the news cycle but deserved more attention. Twitter went dark for a few minutes, leaving the global Twitterati at a complete loss. Speculation and rumours abounded. Was this the work of the hacktivist group Anonymous? The Iranian government? According to Twitter’s company blog post, “Today’s Turbulence Explained,” the outage was due to a “cascading bug,” a bit of malware “with an effect that isn’t confined to a particular software element, but rather … ‘cascades’ into other elements as well.” Tweeting in response, the father of cyberspace, science fiction author William Gibson (known on Twitter as @GreatDismal), laid out a simple but alarming hashtag: #andsoitbegins.
And so it begins, a series of cascading bugs reaching deeper and deeper into the infrastructure that surrounds us, bugs that are accidental, partly accidental, and accidental by design. In 2010, under Operation Network Raider, American authorities won thirty convictions and seized $143 million worth of counterfeit network computer equipment manufactured in China. (One man, Ehab Ashoor, bought counterfeit Cisco equipment from an online vendor located in China, and was intending to sell it to the U.S. Marine Corps for combat communications in Iraq.) In 2012, a year-long probe by the Senate Armed Services Committee found 1,800 cases of fake electronic components destined for American military equipment: 1 million bogus parts, mostly from discarded electronic waste being recycled in China. The report found the bogus parts in SH-60B helicopters, in C-130J and C-27J cargo planes, in the U.S. Navy’s P-8A Poseidon plane. A July 2012 article in Ars Technica noted that “more than 500 days after Stuxnet the Siemens S7 has not been fixed.” That same month, Wired reported on a Canadian company, RuggedCom, that makes equipment and software for critical industrial control systems. It had planted a backdoor (a means to remotely access a system) into one of their products, by design. The login credentials for the backdoor included a static username, “factory,” assigned by the vendor that couldn’t be changed by customers. The company-generated password was based on individual media access control (MAC) addresses for devices.
Researcher Justin W. Clarke (no relation to Richard Clarke) has shown how, by searching the Internet via the SHODAN search tool, anyone could discover MAC addresses for industrial control systems, and then employ a simple computer script he has engineered to log in to those industrial control systems. This is a far cry from the elaborate operational planning that went into Stuxnet: all that is involved is one person, one search, and one script, and the result is total access! Clarke quietly notified RuggedCom, which did nothing for months, leading him to go public with his discovery. “It is esoteric, it is obscure, but this equipment is everywhere,” said Clarke, explaining his reasoning. “I was walking down the street and they had one of the traffic control cabinets that controls stop lights open and there was a RuggedCom switch, so while you and I may not see it, this is what’s used in electric substations, in train control systems, in power plants and in the military. That’s why I personally care about it so much.” And as if this were not enough, the story ends on another menacing note: “RuggedCom, which is based in Canada, was recently purchased by the German conglomerate Siemens.”